Visa turns to risk-based authentication as e-commerce evolves

Visa is aiming to enhance security and convenience when buying online, whatever device you use.

The payment company has announced planned changes to Verified by Visa (VbV), its online authentication service, and to Three-Domain Secure (3-D Secure), the industry-wide messaging protocol for online authentication on which VbV is based.

These updates are designed to make digital payments safer and easier for consumers, merchants and financial institutions.

“E-commerce looks very different today than it did 20 years ago, when personal computers were the only avenue for shopping online,” Visa explained. “Today, the e-commerce environment is mature and expanding, with consumers choosing among their laptop, tablet, mobile browser and mobile apps. With so many ways to shop, retailers must make their payment process both secure and free of burdensome steps that lead to abandoned shopping carts.”

The company went on to note that fraudsters are increasingly moving online, and deploying ever more sophisticated attack techniques, making authenticating today’s online shoppers more complex, but more essential.

In response, Visa will make greater use of risk-based and dynamic authentication, assessing a transaction’s riskiness by analysing contextual data about purchases. This can include behavioural checks (has the cardholder shopped online here before?), device checks (where is this device located? has the cardholder shopped from it in the past?), and merchant checks (does this merchant generate a high proportion of fraudulent transactions?).

For the vast majority of transactions that are deemed low risk, the purchase will proceed without additional authentication. And for the less than 5% of transactions that are flagged up for further authentication, a one-time dynamic passcode can be sent to the shopper’s device, via SMS or email, to verify identity instead of asking him or her to enrol and enter a static password.

Visa will begin phasing out Verified by Visa static passwords from April 2018.

Meanwhile, an enhanced version of the 3-D Secure specification, called 3-D Secure 2.0, will roll out later this year. According to Visa, it includes features designed to address the rise of new technologies and ways to pay, including support for e-commerce transactions from mobile devices and apps, while also providing a foundation to support new device types such as connected cars and refrigerators.